Submit a ticketCall us

WebinarUpcoming Webinar: How Help Desk and Remote Support Pays for Itself

Learn how help desk software can simplify ticketing management, allow you to track hardware and software assets, and accelerate the speed of IT support and service delivery. Gain insights on how remote support tools allow your IT team to maximize their efficiency and ticket resolution by expediting desktop troubleshooting, ultimately helping keep end-users happy and productive.

Register here.

Home > Success Center > Log & Event Manager (LEM) > LEM Administrator Guide > Collecting Windows Filtering Platform (WFP) events in LEM

Collecting Windows Filtering Platform (WFP) events in LEM

Updated: September 15, 2017

Windows Filtering Platform (WFP) logs firewall and IPsec related events to the System Security Log. These alerts are background events that require additional LEM resources to process and are not recommended for an optimized LEM deployment.

About Windows WFP events and LEM performance

By default, WFP logging is disabled in the Windows Security Log connector. Tuning out Windows noise in group policies has the following advantages:

  • Reduces the space that these events occupy in the Security Event log
  • Reduces network activity
  • Reduces demand on LEM system resources (such as CPU, memory, and disk space)
     

The Windows Security Log connector stopped collecting WFP data in LEM version 6.2.

Configure LEM to collect WFP events (Optional)

If necessary, you can enable WFP event logging in LEM.
 

SolarWinds strongly recommends that you keep WFP logging turned off.


To collect WFP events in LEM, configure the Windows Filtering Platform Events connector. Enabling this connector will result in LEM collecting a huge volume of data . To manage this data, see the following sections.

Improve LEM performance by tuning Windows WFP events

If you collect WFP events in LEM, SolarWinds recommends tuning WFP in your Active Directory group policies to decrease the load that background events place on the LEM Manager. The following tables describe alerts located in the Event Distribution Policy in LEM Manager. You can filter out these events by clearing the appropriate check boxes in the Console, Database, Warehouse, and Rules columns. LEM will process the remaining events.
 

In LEM, the terms event and alert are interchangeable .


SolarWinds recommends disabling WFP alerts using Group or Local Policy.
 

The ProviderSID value in the following alerts match the Windows Security Auditing Event ID format where Event ID is one of the Windows Event IDs listed in the following table.

 

Alert Name Windows Event ID
TCPTrafficAudit 5152, 5154, 5156, 5157, 5158, 5159
IPTrafficAudit 5152, 5154, 5156, 5157, 5158, 5159
UDPTrafficAudit 5152, 5154, 5156, 5157, 5158, 5159
ICMPTrafficAudit 5152, 5156, 5157, 5158, 5159
RoutingTrafficAudit 5152, 5156
PPTPTrafficAudit 5152

 

Table of Descriptions by Event ID

Event ID Brief Description
5152 Windows Filtering Platform blocked a packet
5154 Windows Filtering Platform permitted an application or service to listen on a port for incoming connections
5156 Windows Filtering Platform allowed a connection
5157 Windows Filtering Platform blocked a connection
5158 Windows Filtering Platform permitted a bind to a local port
5159 Windows Filtering Platform blocked a bind to a local port
Last modified

Tags

Classifications

Public